Why the CIO should care about Cyber Security

In the past, Information Security and Risk were not in any measure a key focus area for the CIO. Today every business faces multiple risks, and cyber security is now on the radar of both the board and the CIO.

What happened? As businesses pursued an increasingly digital agenda, basic manual procedures became digitised, and as a result they are now very much in scope for attackers to target.

There have also been very public events, such as the Target breach, that have increased awareness of the threat and of the potential for reputational damage.

Not a Performance measure in sight

But despite this increased sensitivity, it would be unusual to find a CIO whose performance plan contains specific measures that relate to Cyber Security. For the average CIO, there is always an increasing number of objectives being added to the annual review.

Usually there are too many, and the wise CIO will try to keep this to no more than 6-7 specific objectives. In this context it is not surprising that the CIO will have a more general written goal that encapsulates risk management and compliance. Only within the body of that goal would you find a reference to "Cyber".

Where does the CISO report?

It is often the case that the CISO reports into the CIO. However, it is also common to find that the CISO actually has a reporting line into a CTO.

One can argue that neither of these is ideal: you either report into the person in charge of technology or into the person responsible for the IT strategy and overall delivery.

At face value this all looks fine, but when there is a conflict of priorities, who wins the argument? I've seen large programs of work, and also digital transformation changes, where there is someone arguing to short-change the cyber security work (the penetration tests); that is where the CISO comes into conflict with a CIO manager.

On the other hand, when a CISO reports into the CTO, one can find that server patching is not given as high a priority as some new cloud migration.

I've recently read some interesting reports that argued that the CISO should report into the CEO. That's another question in itself, but for now I would say it is best to have the CISO report as high in the organisation as possible.

In each case we have a cyber security threat that has the potential both to disrupt the business and to cause reputational damage to the enterprise. Hence the Board cares, and as a result you, the CIO, have to pay attention to these threats.

This is not a topic that is going to win you any new reward for doing well. In this regard there is no "carrot", just a "stick", should you and your team not succeed in keeping cyber security threats at bay.

The only benefit is that you may be able to retain your position by managing what is now a significant enterprise risk.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.